You Had Me at ToS

Published by Torry Crass on

Have you ever actually read a Terms of Service (ToS)?
After reading it, have you ever not accepted them and refused to use the service?

We typically agree that reading them is important but so few of us actually do just that.

Now what about at the business level, does someone at your company do that? How about reviewing those terms and contract language for concerning statements around security (or lack of)?

Yes… it gives all of us headaches.

For most, the answer will be no at the personal level and a few yeses at the business level. For me, the answer is mostly yes (and what you’ll see here is why).

This particular post is a story of not only protecting my data but trying to safeguard the contact data of my family, friends, colleagues and business contacts through looking at that pesky ToS.

We trust that the companies we share our data with are going to handle it appropriately, responsibly even, but how much do we care about how well they do, or even if they say they will (or won’t), until it personally affects us and our data due to theft or abuse? Can we change that?

Can we hold organizations to higher standards through reading the fine print and not using their products? Maybe…

Disclaimer… of sorts.

Quick Disclaimer: I cite the company and app that I was initially looking at using as the example in this post. They are not unique in what I cite here and unlike some that I’ve read, through their ToU they do tell you exactly what to expect. At least with that you can make an informed decision.

On with the story already!

I was recently looking for options to manage contacts I came across a particular application put out by a company called Simpler, that seemed to have reasonable reviews and possibly, a manageable product from a usage point of view.

Of course they do it is their name after all! Who doesn’t like simpler things?!?!

With yet another app on the download and almost in hand I took a closer look and that’s where all this effort quickly stopped and a post began.

I browsed on over to the local “terms of use” page to read just exactly how they were going to use all of this data I was considering granting their access to.

On this quest, one of the first things that I noticed was a lack of mention of any type of security considerations around their app and more important security of the data they were collecting.

For instance, there are no statements of data being stored encrypted on your phone or in their systems. I also need to point out that I didn’t use the application so I don’t have a way to confirm it’s storage methods (but I’ll update this if I receive specifics either way).

Most companies try to tout security features if they have them, leading me to believe that they’ve not considered security in their app or data.

But I digress, we came to look at ToS/ToU data, not whether or not our data is actually secure right? (maybe another time for that)

This particular application doesn’t appear to store your contacts data using encryption and if you read their terms of use they also let you know they’re going to take, not only your data, but also the contacts that you manage with them and they will use that data more or less as they see fit.

On to the Terms of Use…

In order to clearly review the parts of the ToU that I’m citing it’s important to define two terms first, services and content because they are the subject of the statements that follow.

Services are defined as: “…Simpler’s website or any of Simpler’s applications (each, an “App”), including: Simpler Contacts, Smart Merge, Cleaner, Easy Backup, Text 2 Group, Mail 2 Group, Simpler Dialer, Simpler Merge, Simpler Backup & Simpler Dialer and your use of Simpler’s website (collectively, “Services”).”

Content is defined as: “…(including, but not limited to, shared messages, your contact list (i.e. address book) stored on your device) that you upload, share, backup or transmit through our Services (including information submitted from your social network account, if applicable), manually or automatically (collectively: “Content”).”

https://www.simplercontacts.com/terms-of-use

Alright now that those two terms are defined we can look at three key statements in the ToU that caused me to “nope, nope nope” out of using this product.

“We may also use your contacts and other data that we collect from other sources to enrich Simpler’s database with current and up to date contact information (e.g. emails, names, phone numbers).”

https://www.simplercontacts.com/terms-of-use

Okay, so this statement isn’t too bad and you can certainly argue it’s the price to pay to have better, more accurate, valid, information on your end as well since they imply that you’ll benefit from the updated information as well.

“you have the written consent, release, or permission of each identifiable individual person referenced in your Content to use their name, contact details (e.g. emails, phone numbers), etc. as part of the Services;”

https://www.simplercontacts.com/terms-of-use

Wait… I do? You mean every person in my address book I have to get permission from in order to use this application? You’re kidding right? I would love to see the statistics for how many of the users of this application have actually

“By using our Services, you acknowledge and agree that we will share contact information with other users our affiliates and business partners for the purpose of ensuring that their current contact information is up to date. You acknowledge that you have the rights and permissions required to allow us to share such contact information.”

https://www.simplercontacts.com/terms-of-use

So again we see a requirement to have “rights and permissions” but beyond that concern it now clearly states that not only will they share the data with their user base in an internal manner but “affiliates and business partners” can mean and include a very broad list. So does that mean if a company engages them (pays… making me a business partner) to construct lists for the purchasers use? There’s certainly not a restriction to this.

So let’s kick this up one additional notch and say you’re a very diligent person with your contacts and you capture the default contacts data listed in the Apple iOS Contacts app.

That data being: name, company, phones, emails, url, address, birthday, additional dates, related names, social profiles, instant message profiles, and notes.

While this data may not be as sensitive as say your SSN or certain other PII, there is still enough here to have concerns about who has access to and how the data is authorized for use, not to mention if the challenges if the company has any breach situations (remember no mention of encryption right).

All in all, our mobile applications and tools for managing our daily lives are indispensable. They provide us important optimizations and organization efficiencies that help us to keep pace with an ever evolving world.

It’s still important to take a few minutes to read that boring ToS/ToU we might be able to help safeguard our data and that of our friends and colleagues a bit in the process.

Make an informed decision today, you may be glad you did!

Categories: BusinessSecurity
Tags:

0 Comments

Leave a Reply

Related Posts

Scripting

HELK: Manually Import Windows Event Logs

Most logging solutions are set up to facilitate capture and storage of log data from live systems either sending logs to the server or by agents handling the log transportation. HELK is no different. However, Read more…

Security

Remove Gmail Archived Messages

Many many moons ago I setup a gmail account to use as a collection bin for garbage messages (spam) and the like. When I set it up, I didn’t change the options within the mailbox Read more…

Security

Solid State Drive Erasure Using hdparm

Not that long ago it was simple enough to spin up a system with a CD or USB load of DBAN or some other utility to perform a data wipe on a system. With the increasing prevalence of Solid State media these methods have needed to change.